Sophos Anti-Virus 6.5.4 Vulnerability



Name                Cross Site Scripting Vulnerability in Sophos Anti-Virus 
Systems Affected    Sophos Anti-Virus, version 6.5.4 R2
Severity            Medium
Category            Cross Site Scripting
Author              Context Information Security Ltd
Advisory            6th September 2007


Description
-----------
A ZIP archive containing a virus signature with a malformed file name will 
cause a Cross Site Scripting vulnerability to be triggered from within the 
Sophos Anti-Virus client.


Analysis
--------
When Sophos Anti-Virus scans a specially crafted ZIP archive containing an XSS 
attack string, it logs the string internally.  When this information is 
accessed via the Sophos client (SavMain.exe), the XSS attack string is not 
encoded.  When the print function is called, the application can be used to 
run arbitrary code on the target machine from an external attacker's submitted 
file.
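
The flaw described above comes down to writing an archive member name into a 
rendered log view without output encoding. The Python below is an added 
example, not Sophos or Context code; it assumes the log view is built as HTML, 
and the function names and the sample archive are constructed for illustration.

```python
import html
import io
import zipfile

# Constructed sample: a benign member name that contains HTML markup.
SAMPLE_NAME = "invoice<b>bold</b>.txt"


def build_sample_zip():
    """Build a small in-memory ZIP (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_NAME, b"constructed sample content")
        zf.writestr("notes.txt", b"plain member")
    return buf.getvalue()


def logged_names(zip_bytes):
    """Member names as a scanner would record them: untrusted input."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def render_unencoded(names):
    """Flawed pattern: logged names are placed into markup as-is."""
    return "".join("<tr><td>%s</td></tr>\n" % n for n in names)


def render_encoded(names):
    """Corrected pattern: HTML-encode every logged value at output time."""
    return "".join(
        "<tr><td>%s</td></tr>\n" % html.escape(n, quote=True) for n in names
    )


def names_with_markup(names):
    """Triage helper: names containing HTML-significant characters."""
    return [n for n in names if any(c in n for c in "<>&\"'")]


if __name__ == "__main__":
    names = logged_names(build_sample_zip())
    print(render_unencoded(names))   # markup from the file name survives
    print(render_encoded(names))     # markup is shown as inert text
    print(names_with_markup(names))  # names worth a closer look
```

Encoding is applied when the view is rendered rather than when the name is 
logged, so the stored log keeps the original file name for forensic use.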

  
Technologies Affected
---------------------
Sophos Anti-Virus, version 6.5.4 R2


Resolution
----------
Update to version 6.5.8 or 7.0.


Vendor Response
---------------
Sophos have patched this issue in version 7.01.


CVE Details
-----------
This issue has been provisionally assigned a CVE candidate number of 
CVE-2007-4512


Disclosure Timeline
-------------------
18 April 2007    - Initial Discovery and vendor notification
19 April 2007    - Vendor Response
21 August 2007   - Second Vendor Response
6 September 2007 - Coordinated Public Release


Credits
--------
Michael Jordon of Context Information Security Ltd


About Context Information Security
----------------------------------

Context Information Security Limited is a specialist information security 
consultancy based in London and Frankfurt. Context promotes the holistic 
approach to information security and helps clients to identify, assess and 
control their exposure to risk within the fields of IT, telephony and physical 
security. Context employs experienced information security professionals who 
are subject-matter experts in their various technical specialisms.  Context 
works extensively within the finance, legal, defence and government sectors, 
delivering high-end information security projects to organisations for which 
security is a priority.

Web:            www.contextis.co.uk
Email:  disclosure@xxxxxxxxxxxxxxx


About Sophos
------------

"Sophos is a world leader in IT security and control solutions purpose-built 
for business, education, government organizations and service providers. Our 
reliably engineered, easy-to-operate products protect over 100 million users in 
more than 150 countries from viruses, spyware, adware, Trojans, intrusion, 
spam, policy abuse, and uncontrolled network access."